Vendor description
==================
"Remedy Service Management Suite is an enterprise service management
platform built natively for mobile with an intuitive, people-centric
user experience that makes your whole organization more productive."
Source: http://www.bmc.com/it-solutions/remedy-itsm.html

Vulnerability Disclosure Timeline:
==================================
2017-07-14: Vulnerability details sent.
2017-07-14: Vendor: PGP key was rotated.
2017-07-15: Vulnerability details sent with their new PGP key.
2017-07-17: Vendor: Acknowledged receipt of report.
2017-07-21: Vulnerability details sent for newly found vulnerabilities.
2017-07-25: Vendor: Response to first report (2017-07-15), see Vendor
            Response section.
2017-08-01: Vendor: Acknowledged receipt of the second report.
2017-08-04: Response to vendor response. 90-day deadline given.
2017-10-04: Request for update.

For any updates visit:
https://outpost24.com/bmc-remedy-vulnerabilities-identified

Remote and Local File Inclusion
===============================
The Remedy system exposes the BIRT report engine, allowing an attacker
to include arbitrary external or internal files. Due to the lack of
restrictions on what can be targeted, this opens up the system to many
potential attacks, such as system fingerprinting, internal port
scanning, SSRF, or remote code execution.

Internal Path Disclosure
========================
The Remedy system exposes the BIRT report engine, allowing an attacker
to disclose the internal file path through its verbose error message
by including a non-existent file.

Cross-Site Script Include
=========================
BMC uses dynamically generated JavaScript to provide environment
variables to users. This script can be included by a malicious
third-party site and used to steal the CSRF token.

Log Hijacking
=============
The remote logging of the Remedy system can be accessed by
unauthenticated users, allowing an attacker to hijack the system
logs. This data can include usernames as well as HTTP data, including
cookies.

Session Token Disclosure
========================
Some HTTP responses include the value of the session token, allowing
JavaScript to bypass the HttpOnly flag on the session cookie and steal it.
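A defender-side check for the finding above, added here as an example and not part of the original advisory or of BMC's code: it takes the Set-Cookie headers and body of a captured response and reports where a session cookie's value is echoed into the body (raw, URL-encoded or JSON-escaped). The cookie names, token value and response body are constructed placeholders.

```python
import json
import re
from urllib.parse import quote

# Assumption: placeholder cookie names; adjust to the application's real session cookie.
SESSION_COOKIE_NAMES = ("JSESSIONID", "ARSESSION")


def secrets_from_set_cookie(set_cookie_headers, names=SESSION_COOKIE_NAMES):
    """Extract the values of the named cookies from a list of Set-Cookie header values."""
    secrets = {}
    for header in set_cookie_headers:
        name, _, value = header.split(";", 1)[0].strip().partition("=")
        if name in names and value:
            secrets[name] = value
    return secrets


def encodings(value):
    """Forms in which a token may appear inside an HTML, JavaScript or JSON body."""
    return {value, quote(value, safe=""), json.dumps(value)[1:-1]}


def find_token_leaks(body, secrets, context=25):
    """Return (cookie_name, offset, snippet) for each place a secret value occurs in body."""
    hits = []
    for name, value in secrets.items():
        if len(value) < 8:  # very short values would produce false positives
            continue
        for needle in encodings(value):
            for m in re.finditer(re.escape(needle), body):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append((name, m.start(), body[lo:hi]))
    return sorted(set(hits))


def check_response(set_cookie_headers, body):
    """Convenience wrapper: cookies from the headers, leaks from the body."""
    return find_token_leaks(body, secrets_from_set_cookie(set_cookie_headers))


# Constructed sample: a login response whose JSON body echoes the session cookie.
SAMPLE_SET_COOKIE = ["JSESSIONID=3F1A9C7E2B5D4A6F; Path=/; HttpOnly", "theme=dark; Path=/"]
SAMPLE_BODY = '{"status":"ok","user":"alice","sessionId":"3F1A9C7E2B5D4A6F"}'
CLEAN_BODY = '{"status":"ok","user":"alice"}'

if __name__ == "__main__":
    for name, offset, snippet in check_response(SAMPLE_SET_COOKIE, SAMPLE_BODY):
        print(f"{name} value leaks at offset {offset}: ...{snippet}...")
```

Any hit means the HttpOnly flag no longer protects that cookie, since script on the page can read the body.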

Authenticated Code Execution
============================
Authenticated users that have the right to create reports can use the
BIRT templating to gain code execution. Access to this functionality
appears to be granted to all users by default.

Vendor Response
===============
Remote and Local File Inclusion: vendor referred to a communities post
and existing CVEs; the post claimed that the issue has been fixed in
later versions, however, testing confirms the vulnerability to still be
present; the existing CVE misclassifies the finding as a plain content
inclusion. We informed them of these issues; no response from vendor.

Internal Path Disclosure: vendor referred to a hotfix on their
communities page; however, this hotfix does not work. We informed them
of these issues; no response from vendor.